0

We are producing IoT gateways which send out emails via SMTP protocol for user notifications. These IoT gateways are mainly used by corporate customers in intranets without access to or from the Internet.

Now we need to decide (as part of the product management) if either emails without authentication should be allowed or if username and password should be required.

Our questions are:

  • Do security policies generally recommend to just run closed relays requiring authentication?
  • Or do these policies enforce open relays motivated by GDPR requirements in order to avoid tracking employees?
WeSee
  • 129
  • 5
  • GDPR does not apply – schroeder Nov 29 '18 at 14:52
  • @schroeder can you expand on why GDPR does not apply? – DarkMatter Nov 29 '18 at 14:54
  • @DarkMatter from the situation as described, PII is not involved in this processing (authenticating to a relay) so GDPR does not apply. PII exists in the emails, but that processing is being done either way. – schroeder Nov 29 '18 at 14:57
  • @schroeder Thanks for elaborating. What you suggest is possibly true but if email addresses are being stored (or IPs or locations or possibly even cookies) as part of this authentication process then it can be considered "personal data" by GDPR. – DarkMatter Nov 29 '18 at 15:03
  • @DarkMatter as described, the recipient's email is not being authenticated, but the device. And the IP, location data is of the sending device, not the data subject. – schroeder Nov 29 '18 at 15:05

2 Answers2

1

Open relays = bad. Anything that can access the relay can send out emails using your domain. Closing relays, like not choosing "password1" as your password is a basic protection.

Only use an open relay if you have other mitigating controls that prevent other nodes from accessing it. Authentication is the easiest way to do this.

But, if you can control network access, there can be ways to create a pseudo-open relay (no auth on the relay, but access controls on other layers). In the past I have used VLANs, NAC, switch port configuration, IP whitelists, etc. with added monitoring and alerting for anomalies. Not the best option, but a risk-based approach if it's the only way forward.

schroeder
  • 123,438
  • 55
  • 284
  • 319
1

Big intranets should be considered "not so secure".

Running open relay for use notifications creates risk of easily faked emails => easily faked notifications.

Cover your butt advice:
IF some clients really need open relay
THEN provide an option to change default configuration after hard to not notice warnings.

schroeder
  • 123,438
  • 55
  • 284
  • 319
AnFi
  • 223
  • 1
  • 4